A Formally Specified Type System and Operational Semantics
for Higher-Order Procedural Variables

T. Crolard and E. Polonowski 
May 14, 2009 

Abstract 

We formally specified the type system and operational semantics of Loop^ω with Ott and the Isabelle/HOL proof
assistant. Moreover, both the type system and the semantics of Loop^ω have been tested using the Isabelle/HOL program
extraction facility for inductively defined relations. In particular, the program that computes the Ackermann function
type checks and behaves as expected. The main difference (apart from the choice of an Ada-like concrete syntax) with
Loop^ω comes from the treatment of parameter passing. Indeed, since Ott does not currently fully support α-conversion,
we rephrased the operational semantics with explicit aliasing in order to implement the out parameter passing mode.

Introduction 

We formally specified the type system and operational semantics of Loop^ω as described in [CPV09] with Ott [SNO+07]
and the Isabelle/HOL proof assistant [NPW02]. Moreover, both the type system and the semantics of Loop^ω have been tested
using the Isabelle/HOL program extraction facility for inductively defined relations [BN02]. In particular, the program that
computes the Ackermann function (reproduced below) type checks and behaves as expected.

The main difference (apart from the choice of an Ada-like concrete syntax) with the description given in [CPV09] comes
from the treatment of parameter passing. Indeed, since Ott does not currently fully support α-conversion, we rephrased
the operational semantics with explicit aliasing in order to implement the out parameter passing mode (instead of a
simpler substitution-based semantics as in [CPV09]). On the other hand, the in parameter passing mode is implemented
exactly as in [CPV09] and relies on Ott-generated substitution (see the Isabelle/HOL code given in the appendix).

Section 1 contains the description of an Ada-like grammar for Loop^ω. We then present the type system in Section 2 and
the structural operational semantics in Section 3. Finally, in the appendix we include the Isabelle/HOL theory generated
by Ott (all source files are available on request).

Example: the Ackermann function 

procedure Ack(M : in int; N : in int; R : out int) is
  P : proc(in int, out int) := Incr;
begin
  for I in 1 .. M loop
    declare
      Q : constant proc(in int, out int) := P;
      procedure Aux(S : in int; R : out int) is
        X : int := 0;
      begin
        Q(1, X);
        for J in 1 .. S loop
          Q(X, X);
        end loop;
        R := X;
      end;
    begin
      P := Aux;
    end;
  end loop;
  P(N, R);
end;

(The procedure Incr, of type proc(in int, out int), is not shown; for this program to compute the Ackermann
function it must be the successor procedure R := N + 1. Note that the call Q(X, X) passes the same variable both
as an in and as an out actual, which is exactly the situation the explicit-aliasing semantics of Section 3 has to handle.)
1 Syntax

Metavariables

  index, i, j, l, n
  ident, x, y, z, p, f
  number, q

Grammar. The binding annotations (bind x in c) are those of the Ott source; the remaining terminals are the
Ada-like keywords and punctuation that appear literally in the productions.

  terminals ::= indices | idents | keywords and punctuation

  mode, m ::= in | out | in out                                   modes

  integer, k ::= { k1 + k2 } | { k1 - k2 } | { k1 × k2 }           integer arithmetic

  boolean, b ::= true | false | { b1 and b2 } | { b1 or b2 } | { not b }
              |  { k1 = k2 } | { k1 > k2 } | { k1 < k2 }            boolean operations

  exp, e ::= x                    var
          |  v                    value
          |  e1 + e2              addition
          |  e1 - e2              subtraction
          |  e1 × e2              multiplication
          |  e1 = e2              equality
          |  e1 > e2              greater
          |  e1 < e2              less
          |  e1 and e2            conjunction
          |  e1 or e2             disjunction
          |  not e                negation
          |  (e)                  parentheses

  store, μ ::= a list of bindings x ← v; (μ, x ← v) extends μ      store

  trace, tr ::= [ (c1, μ1) .. (cn, μn) ]                            trace

  formula ::= judgement | x = x' | x ≠ x' | δ = δ' | δ ≠ δ' | m = m' | m ≠ m'
           |  k > k' | k < k' | formula1 .. formulan

  env, Γ ::= {}                                   empty context
          |  { x1 δ1 , ... , xn δn }               explicit context
          |  Γ, x δ                                ident declaration
          |  (Γ)                                   parentheses
          |  Γ, x1 δ1 , ... , xn δn                idents declaration
          |  Γ, δ                                  anonymous declaration

  cmd, c ::= null                                                 null
          |  x := e                                               assignment
          |  c1 ; c2                                              sequence
          |  if e then c1 ; else c2 ; end if                      conditional
          |  while e loop c ; end loop                            while loop
          |  (c)                                                  parentheses
          |  declare d                                            declaration
          |  for x in e .. e' loop c ; end loop   (bind x in c)   for loop
          |  e ( e1 , .. , en )                                   procedure call

  va, v ::= q                                                     integer constant
         |  true | false                                          boolean constants
         |  proc ( x1 : m1 τ1 ; .. ; xn : mn τn ) is d   (bind x1..xn in d)   procedure

  ty, τ ::= int | bool | proc ( m1 τ1 , .. , mn τn ) | void         types

  df, δ ::= : m τ                                                 variable declaration
         (the generated theory also carries a ReturnType τ form, unused by the rules below)

  dcl, d ::= begin end                                            Empty
          |  begin c ; end                                        Block
          |  x : τ ; d                           (bind x in d)    Uninit. variable
          |  x : τ := e ; d                      (bind x in d)    Init. variable
          |  x : constant τ := e ; d             (bind x in d)    Constant
          |  procedure p ( x1 : m1 τ1 ; .. ; xn : mn τn ) is d1 ; d2   (bind x1..xn in d1)   Proc
          |  [ x1 : m1 τ1 = e1 , .. , xn : mn τn = en ] d   (bind x1..xn in d)   Aliases
          |  ( x : m τ = e ) d                   (bind x in d)    Alias

  d [v / x] denotes the (Ott-generated) substitution of the value v for x in d.

Judgements

  eval_exp    μ(x) = v                                            Fetch
              e =μ v                                              Expression evaluation

  typing      x δ ∈ Γ                                             Lookup
              Γ ⊢ e : τ                                           Expression typing
              δ ∈ Γ                                               LookupD
              Γ ⊢ e ~ m τ                                         Match
              Γ ⊢ ( e1 , .. , en ) ~ ( m1 τ1 , .. , mn τn )       MatchList
              Γ ⊢ d : decl                                        Declaration typing
              Γ ⊢ c : comm                                        Command typing

  eval_comm   μ{x ← v} ↦ μ'                                       Store Update
              (c, μ) ↦^k (c', μ')                                 Many Steps
              (c; μ) ⇒^k tr                                       Trace
              (c; μ) ⇝ μ'                                         Full evaluation
              (| x : m τ |) # (| e |) = [| x : m τ = e |]         Compatibility
              (c, μ) ↦ (c', μ')                                   One step evaluation
              (d, μ) ↦ (d', μ')                                   Declaration evaluation

User syntax: index, ident, number, terminals, mode, integer, boolean, exp, store, trace, formula, env, cmd, va,
ty, df, dcl, value.
2 Type System

Each rule is written as  premises  ⟹  conclusion  (rule name); a rule with no premises is an axiom.

Lookup                                   x δ ∈ Γ

  (Lookup1)     x δ ∈ Γ, x δ
  (Lookup2)     x ≠ x',  x δ ∈ Γ  ⟹  x δ ∈ Γ, x' δ'

Expression typing                        Γ ⊢ e : τ

  (Var)         m ≠ out,  x : m τ ∈ Γ  ⟹  Γ ⊢ x : τ
  (IntCst)      Γ ⊢ q : int
  (BoolTrue)    Γ ⊢ true : bool
  (BoolFalse)   Γ ⊢ false : bool
  (Plus)        Γ ⊢ e1 : int,  Γ ⊢ e2 : int  ⟹  Γ ⊢ e1 + e2 : int
  (Minus)       Γ ⊢ e1 : int,  Γ ⊢ e2 : int  ⟹  Γ ⊢ e1 - e2 : int
  (Times)       Γ ⊢ e1 : int,  Γ ⊢ e2 : int  ⟹  Γ ⊢ e1 × e2 : int
  (Equal)       Γ ⊢ e1 : τ,  Γ ⊢ e2 : τ  ⟹  Γ ⊢ e1 = e2 : bool
  (Greater)     Γ ⊢ e1 : int,  Γ ⊢ e2 : int  ⟹  Γ ⊢ e1 > e2 : bool
  (Less)        Γ ⊢ e1 : int,  Γ ⊢ e2 : int  ⟹  Γ ⊢ e1 < e2 : bool
  (And)         Γ ⊢ e1 : bool,  Γ ⊢ e2 : bool  ⟹  Γ ⊢ e1 and e2 : bool
  (Or)          Γ ⊢ e1 : bool,  Γ ⊢ e2 : bool  ⟹  Γ ⊢ e1 or e2 : bool
  (Not)         Γ ⊢ e : bool  ⟹  Γ ⊢ not e : bool

LookupD                                  δ ∈ Γ

  (LookupD1)    δ ∈ Γ, x δ
  (LookupD2)    δ ≠ δ',  δ ∈ Γ  ⟹  δ ∈ Γ, x δ'

Match                                    Γ ⊢ e ~ m τ

  (Match1)      Γ ⊢ e : τ  ⟹  Γ ⊢ e ~ in τ
  (Match2)      x : m τ ∈ Γ,  m ≠ in  ⟹  Γ ⊢ x ~ out τ
  (Match3)      x : in out τ ∈ Γ  ⟹  Γ ⊢ x ~ in out τ

MatchList                                Γ ⊢ ( e1 , .. , en ) ~ ( m1 τ1 , .. , mn τn )

  (MatchList1)  Γ ⊢ ( ) ~ ( )
  (MatchList2)  Γ ⊢ e ~ m τ,  Γ ⊢ ( e1 , .. , en ) ~ ( m1 τ1 , .. , mn τn )
                ⟹  Γ ⊢ ( e , e1 , .. , en ) ~ ( m τ , m1 τ1 , .. , mn τn )

Declaration typing                       Γ ⊢ d : decl

  (Empty)       Γ ⊢ begin end : decl
  (Block)       Γ ⊢ c : comm  ⟹  Γ ⊢ begin c ; end : decl
  (UninitVar)   Γ, x : in out τ ⊢ d : decl  ⟹  Γ ⊢ x : τ ; d : decl
  (InitVar)     Γ ⊢ e : τ,  Γ, x : in out τ ⊢ d : decl  ⟹  Γ ⊢ x : τ := e ; d : decl
  (Constant)    Γ ⊢ e : τ,  Γ, x : in τ ⊢ d : decl  ⟹  Γ ⊢ x : constant τ := e ; d : decl
  (Proc)        Γ, x1 : m1 τ1 , .. , xn : mn τn ⊢ d1 : decl,  Γ, p : in proc ( m1 τ1 , .. , mn τn ) ⊢ d2 : decl
                ⟹  Γ ⊢ procedure p ( x1 : m1 τ1 ; .. ; xn : mn τn ) is d1 ; d2 : decl

Command typing                           Γ ⊢ c : comm

  (Null)        Γ ⊢ null : comm
  (Seq)         Γ ⊢ c1 : comm,  Γ ⊢ c2 : comm  ⟹  Γ ⊢ c1 ; c2 : comm
  (Assign)      m ≠ in,  x : m τ ∈ Γ,  Γ ⊢ e : τ  ⟹  Γ ⊢ x := e : comm
  (IfThenElse)  Γ ⊢ e : bool,  Γ ⊢ c1 : comm,  Γ ⊢ c2 : comm  ⟹  Γ ⊢ if e then c1 ; else c2 ; end if : comm
  (While)       Γ ⊢ e : bool,  Γ ⊢ c : comm  ⟹  Γ ⊢ while e loop c ; end loop : comm
  (For)         Γ ⊢ e : int,  Γ ⊢ e' : int,  Γ, x : in int ⊢ c : comm  ⟹  Γ ⊢ for x in e .. e' loop c ; end loop : comm
  (Decl)        Γ ⊢ d : decl  ⟹  Γ ⊢ declare d : comm
  (ProcCall)    Γ ⊢ e : proc ( m1 τ1 , .. , mn τn ),  Γ ⊢ ( e1 , .. , en ) ~ ( m1 τ1 , .. , mn τn )
                ⟹  Γ ⊢ e ( e1 , .. , en ) : comm

The parameter modes thus act as an access discipline: (Var) forbids reading a variable declared out, (Assign)
forbids writing a variable declared in (constants, in parameters and loop indices are all declared in), and
(Match2)/(Match3) only let a variable of a compatible mode be passed where an out or in out formal is expected,
so a callee can only modify the caller's state through actuals the caller explicitly exposed. Note also that in
(Proc) the procedure name p is in scope in d2 only, not in its own body d1.
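The rules above, rendered as a checker in Python. This is an editor's added example, not code from the paper or from its Ott/Isabelle sources: the tuple encoding of the grammar, the function names (lookup, type_exp, match, type_dcl, type_cmd, well_typed) and the Swap sample programs are the editor's own. It accepts a well-typed swap procedure and then shows the mode discipline rejecting a literal or a constant passed where in out is expected, a read of an out parameter, and a write to an in parameter.

```python
"""Checker for the Section 2 typing rules (editor's example, not the paper's code).
ASTs are tuples; environments are lists of (ident, mode, type) triples, newest
first, walked exactly as Lookup1/Lookup2 walk them.  Modes are the strings "in",
"out", "in out"; types are "int", "bool" or ("proc", ((mode, type), ...))."""
INT, BOOL = "int", "bool"

class Ill(Exception):                      # raised where no typing rule applies
    pass

def proc_ty(params):                       # proc(m1 t1, .., mn tn) from (x, m, t) triples
    return ("proc", tuple((m, t) for _, m, t in params))

def lookup(env, x):                        # (Lookup1)/(Lookup2): newest binding wins
    for y, m, t in env:
        if y == x:
            return m, t
    raise Ill(f"unbound {x}")

def type_exp(env, e):
    if e[0] == "var":                      # (Var): an out parameter may not be read
        m, t = lookup(env, e[1])
        if m == "out":
            raise Ill(f"read of out parameter {e[1]}")
        return t
    if e[0] in (INT, BOOL):                # (IntCst)/(BoolTrue)/(BoolFalse)
        return e[0]
    if e[0] == "not":                      # (Not)
        if type_exp(env, e[1]) != BOOL:
            raise Ill("not expects bool")
        return BOOL
    op, t1, t2 = e[1], type_exp(env, e[2]), type_exp(env, e[3])   # ("bin", op, e1, e2)
    want, res = {"+": (INT, INT), "-": (INT, INT), "*": (INT, INT), ">": (INT, BOOL),
                 "<": (INT, BOOL), "=": (t1, BOOL), "and": (BOOL, BOOL),
                 "or": (BOOL, BOOL)}[op]   # (Plus) .. (Or); (Equal) needs equal operand types
    if (t1, t2) != (want, want):
        raise Ill(f"operands of {op}")
    return res

def match(env, arg, mode, t):              # (Match1)-(Match3): one actual against one formal
    if mode == "in":
        return type_exp(env, arg) == t
    if arg[0] != "var":                    # out and in out actuals must be variables
        return False
    m, t2 = lookup(env, arg[1])
    return t2 == t and (m != "in" if mode == "out" else m == "in out")

def type_dcl(env, d):
    if d[0] == "block":                    # (Empty)/(Block)
        return type_cmd(env, d[1])
    if d[0] in ("local", "const"):         # (UninitVar)/(InitVar)/(Constant)
        x, t, init, rest = d[1:]
        if init is not None and type_exp(env, init) != t:
            raise Ill(f"initialiser of {x}")
        return type_dcl([(x, "in out" if d[0] == "local" else "in", t)] + env, rest)
    p, params, body, rest = d[1:]          # (Proc): p is in scope in rest only
    return type_dcl(params[::-1] + env, body) and \
        type_dcl([(p, "in", proc_ty(params))] + env, rest)

def type_cmd(env, c):
    if c[0] == "assign":                   # (Assign): in parameters and constants are read-only
        m, t = lookup(env, c[1])
        if m == "in" or type_exp(env, c[2]) != t:
            raise Ill(f"assignment to {c[1]}")
    elif c[0] == "seq":                    # (Seq)
        type_cmd(env, c[1]); type_cmd(env, c[2])
    elif c[0] in ("if", "while"):          # (IfThenElse)/(While)
        if type_exp(env, c[1]) != BOOL:
            raise Ill("condition must be bool")
        for branch in c[2:]:
            type_cmd(env, branch)
    elif c[0] == "for":                    # (For): the index is an in int inside the body
        x, lo, hi, body = c[1:]
        if (type_exp(env, lo), type_exp(env, hi)) != (INT, INT):
            raise Ill("loop bounds must be int")
        type_cmd([(x, "in", INT)] + env, body)
    elif c[0] == "decl":                   # (Decl)
        type_dcl(env, c[1])
    elif c[0] == "call":                   # (ProcCall) with (MatchList1)/(MatchList2)
        t, args = type_exp(env, c[1]), c[2]
        if t[0] != "proc" or len(t[1]) != len(args) or \
                not all(match(env, a, m, ty) for a, (m, ty) in zip(args, t[1])):
            raise Ill("actuals do not match the procedure type")
    return True                            # (Null) and every accepted command

def well_typed(d, env=()):
    """True iff the declaration d is derivable under the (closed by default) env."""
    try:
        return type_dcl(list(env), d)
    except Ill:
        return False

# Constructed samples: Swap(A, B : in out int) with a local temporary, called from a
# block that declares X and Y, then four ways the mode discipline rejects a program.
V, K = (lambda x: ("var", x)), (lambda k: (INT, k))
SWAP_BODY = ("local", "T", INT, V("A"),
             ("block", ("seq", ("assign", "A", V("B")), ("assign", "B", V("T")))))
def with_swap(rest):
    return ("proc", "Swap", [("A", "in out", INT), ("B", "in out", INT)], SWAP_BODY,
            ("local", "X", INT, K(1), ("local", "Y", INT, K(2), rest)))
GOOD = with_swap(("block", ("call", V("Swap"), [V("X"), V("Y")])))
LITERAL_FOR_INOUT = with_swap(("block", ("call", V("Swap"), [K(1), V("Y")])))
CONST_FOR_INOUT = with_swap(("const", "C", INT, K(5), ("block", ("call", V("Swap"), [V("C"), V("Y")]))))
READS_OUT = ("proc", "Bad", [("R", "out", INT)],
             ("block", ("assign", "R", ("bin", "+", V("R"), K(1)))), ("block", ("null",)))
WRITES_IN = ("proc", "Bad", [("N", "in", INT)], ("block", ("assign", "N", K(0))), ("block", ("null",)))
```

The negative cases are the ones that matter for isolation between caller and callee: a procedure can only write through an actual the caller passed as out or in out, and nothing the caller holds as in (constants, loop indices, its own in parameters) can be modified through a call, which is what makes the copy-in/copy-out reading of the next section sound.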



3 Structural Operational Semantics

Rules are written as in Section 2:  premises  ⟹  conclusion  (rule name).

Fetch                                    μ(x) = v

  (Fetch1)      (μ, x ← v)(x) = v
  (Fetch2)      x ≠ x',  μ(x) = v  ⟹  (μ, x' ← v')(x) = v

Expression evaluation                    e =μ v

  (E_Value)     v =μ v
  (E_Ident)     μ(x) = v  ⟹  x =μ v
  (E_Plus)      e1 =μ k1,  e2 =μ k2  ⟹  e1 + e2 =μ { k1 + k2 }
  (E_Minus)     e1 =μ k1,  e2 =μ k2  ⟹  e1 - e2 =μ { k1 - k2 }
  (E_Times)     e1 =μ k1,  e2 =μ k2  ⟹  e1 × e2 =μ { k1 × k2 }
  (E_Greater)   e1 =μ k1,  e2 =μ k2  ⟹  e1 > e2 =μ { k1 > k2 }
  (E_Less)      e1 =μ k1,  e2 =μ k2  ⟹  e1 < e2 =μ { k1 < k2 }
  (E_Equal)     e1 =μ k1,  e2 =μ k2  ⟹  e1 = e2 =μ { k1 = k2 }
  (E_And)       e1 =μ b1,  e2 =μ b2  ⟹  e1 and e2 =μ { b1 and b2 }
  (E_Or)        e1 =μ b1,  e2 =μ b2  ⟹  e1 or e2 =μ { b1 or b2 }
  (E_Not)       e =μ b  ⟹  not e =μ { not b }

Store Update                             μ{x ← v} ↦ μ'

  (Update1)     (μ, x ← v){x ← v'} ↦ (μ, x ← v')
  (Update2)     x ≠ x',  μ{x ← v'} ↦ μ'  ⟹  (μ, x' ← v){x ← v'} ↦ (μ', x' ← v)

Many Steps                               (c, μ) ↦^k (c', μ')

  (ManySteps1)  (c, μ) ↦^0 (c, μ)
  (ManySteps2)  (null, μ) ↦^k (null, μ)
  (ManySteps3)  (c, μ) ↦ (c', μ'),  (c', μ') ↦^(k-1) (c'', μ'')  ⟹  (c, μ) ↦^k (c'', μ'')

Trace                                    (c; μ) ⇒^k tr

  (Trace1)      (c; μ) ⇒^0 [ ]
  (Trace2)      (null; μ) ⇒^k [ ]
  (Trace3)      (c, μ) ↦ (c', μ'),  (c'; μ') ⇒^(k-1) [ (c1, μ1) .. (cn, μn) ]
                ⟹  (c; μ) ⇒^k [ (c', μ') , (c1, μ1) , .. , (cn, μn) ]

Full evaluation                          (c; μ) ⇝ μ'

  (Eval1)       (null; μ) ⇝ μ
  (Eval2)       (c, μ) ↦ (c', μ'),  (c'; μ') ⇝ μ''  ⟹  (c; μ) ⇝ μ''

Compatibility                            (| x : m τ |) # (| e |) = [| x : m τ = e |]

  (E_Compat1)   ( ) # ( ) = [ ]
  (E_Compat2)   (| x' : m' τ' |) # (| e' |) = [| xn : mn τn = en |]
                ⟹  ( x : m τ , | x' : m' τ' | ) # ( e , | e' | ) = [ x : m τ = e , | xn : mn τn = en | ]

One step evaluation                      (c, μ) ↦ (c', μ')

  (E_Null)        ((null ; c), μ) ↦ (c, μ)
  (E_Seq)         (c1, μ) ↦ (c1', μ')  ⟹  ((c1 ; c2), μ) ↦ ((c1' ; c2), μ')
  (E_Assign)      e =μ v,  μ{x ← v} ↦ μ'  ⟹  ((x := e), μ) ↦ (null, μ')
  (E_IfThenElse1) e =μ true  ⟹  ((if e then c1 ; else c2 ; end if), μ) ↦ (c1, μ)
  (E_IfThenElse2) e =μ false  ⟹  ((if e then c1 ; else c2 ; end if), μ) ↦ (c2, μ)
  (E_While1)      e =μ false  ⟹  ((while e loop c ; end loop), μ) ↦ (null, μ)
  (E_While2)      e =μ true  ⟹  ((while e loop c ; end loop), μ) ↦ ((c ; while e loop c ; end loop), μ)
  (E_Decl1)       (declare begin end, μ) ↦ (null, μ)
  (E_Decl2)       (d, μ) ↦ (d', μ')  ⟹  (declare d, μ) ↦ (declare d', μ')
  (E_For1)        e =μ k,  e' =μ k',  k > k'  ⟹  ((for x in e .. e' loop c ; end loop), μ) ↦ (null, μ)
  (E_For2)        e =μ k,  e' =μ k',  k ≤ k'  ⟹  ((for x in e .. e' loop c ; end loop), μ)
                  ↦ ((declare x : constant int := k ; begin c ; end ; for x in { k + 1 } .. k' loop c ; end loop), μ)
  (E_ProcCall)    e =μ proc (| x' : m' τ' |) is d,  (| x' : m' τ' |) # (| e' |) = [| xn : mn τn = en |]
                  ⟹  (e (| e' |), μ) ↦ (declare [| xn : mn τn = en |] d, μ)

Declaration evaluation                   (d, μ) ↦ (d', μ')

  (E_Block1)    (begin null ; end, μ) ↦ (begin end, μ)
  (E_Block2)    (c, μ) ↦ (c', μ')  ⟹  (begin c ; end, μ) ↦ (begin c' ; end, μ')
  (E_InitVar1)  (x : τ := e ; begin end, μ) ↦ (begin end, μ)
  (E_InitVar2)  e =μ v,  (d, (μ, x ← v)) ↦ (d', (μ', x ← v'))  ⟹  (x : τ := e ; d, μ) ↦ (x : τ := v' ; d', μ')
  (E_Const1)    (x : constant τ := e ; begin end, μ) ↦ (begin end, μ)
  (E_Const2)    e =μ v,  (d [v / x], μ) ↦ (d', μ')  ⟹  (x : constant τ := e ; d, μ) ↦ (x : constant τ := v ; d', μ')
  (E_Proc)      (procedure p (| x : m τ |) is d1 ; d, μ) ↦ (d [ proc (| x : m τ |) is d1 / p ], μ)
  (E_Alias1)    ((x : m τ = e) begin end, μ) ↦ (begin end, μ)
  (E_Alias2)    e =μ v,  (d [v / x], μ) ↦ (d', μ')  ⟹  ((x : in τ = e) d, μ) ↦ (d', μ')
  (E_Alias3)    m ≠ in,  μ(y) = v,  (d, (μ, x ← v)) ↦ (d', (μ', x ← v')),  μ'{y ← v'} ↦ μ''
                ⟹  ((x : m τ = y) d, μ) ↦ ((x : m τ = y) d', μ'')
  (E_Aliases1)  ([ ] d, μ) ↦ (d, μ)
  (E_Aliases2)  ([| xn : mn τn = en |] begin end, μ) ↦ (begin end, μ)
  (E_Aliases3)  ((x : m τ = e) [| xn : mn τn = en |] d, μ) ↦ (d', μ')
                ⟹  ([ x : m τ = e , | xn : mn τn = en | ] d, μ) ↦ (d', μ')

A call thus unfolds into a declaration: (E_ProcCall) pairs formals with actuals, and each pair is then discharged
by the alias rules. An in parameter is evaluated once and substituted into the body (E_Alias2), exactly as a
constant is (E_Const2). An out or in out parameter is the explicit aliasing announced in the introduction
(E_Alias3): the caller's variable y is copied into a fresh cell x pushed on the store, the body is stepped with
that cell in scope, and the new value of x is written back to y after every step. Local variables follow the same
stack discipline (E_InitVar2): the cell for x is the newest binding while d is stepped and is dropped, with its
final value recorded in the declaration, when the step completes. Note that no evaluation rule is given for an
uninitialised variable declaration x : τ ; d.
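The semantics above, rendered as a direct-style interpreter in Python and run on the Ackermann program of the introduction. This is an editor's added example, not code from the paper or from its Ott/Isabelle sources; the tuple encoding of the grammar, the function names (fetch, eval_exp, eval_dcl, eval_cmd, ackermann) and the definition of Incr as R := N + 1 are the editor's own. Two simplifications are assumed and marked in the code: constants and procedure values are captured lexically where they are declared, standing in for the paper's substitution, and out / in out actuals are copied in at the call and written back once at its end, whereas (E_Alias3) writes back after every step (the two agree on the final store because the body never reads the caller's variable directly).

```python
"""Direct-style interpreter for the Section 3 semantics (editor's example, not the
paper's code).  ASTs are tuples as in the type-checker example.  A store is a
list of [ident, value, is_const] cells, newest first, searched like Fetch does.
Assumed simplifications: closures capture the constants in scope instead of
substituting them (E_Const2/E_Proc/E_Alias2); out and in out actuals are copied
in at the call and written back once when the body finishes (E_Alias3 writes
back after every step); Incr is taken to be R := N + 1."""
INT, BOOL = "int", "bool"

def fetch(mu, x):                          # (Fetch1)/(Fetch2); Update mutates the cell found
    return next(cell for cell in mu if cell[0] == x)

def eval_exp(e, mu):
    if e[0] == "var":                      # (E_Ident)
        return fetch(mu, e[1])[1]
    if e[0] in (INT, BOOL):                # (E_Value)
        return e[1]
    if e[0] == "not":                      # (E_Not)
        return not eval_exp(e[1], mu)
    a, b = eval_exp(e[2], mu), eval_exp(e[3], mu)      # (E_Plus) .. (E_Or): both operands
    return {"+": a + b, "-": a - b, "*": a * b, "=": a == b, ">": a > b,
            "<": a < b, "and": a and b, "or": a or b}[e[1]]

def eval_dcl(d, mu):
    if d[0] == "block":                    # (E_Block1)/(E_Block2)
        eval_cmd(d[1], mu)
    elif d[0] in ("local", "const"):       # (E_InitVar2)/(E_Const2): push a cell for x,
        x, _, init, rest = d[1:]           # which goes out of scope when rest returns
        v = None if init is None else eval_exp(init, mu)
        eval_dcl(rest, [[x, v, d[0] == "const"]] + mu)
    else:                                  # (E_Proc): the value is a closure over the
        p, params, body, rest = d[1:]      # constants in scope (what substitution inlines)
        eval_dcl(rest, [[p, (params, body, [c for c in mu if c[2]]), True]] + mu)

def eval_cmd(c, mu):
    if c[0] == "assign":                   # (E_Assign) through (Update1)/(Update2)
        fetch(mu, c[1])[1] = eval_exp(c[2], mu)
    elif c[0] == "seq":                    # (E_Seq)/(E_Null)
        eval_cmd(c[1], mu); eval_cmd(c[2], mu)
    elif c[0] == "if":                     # (E_IfThenElse1)/(E_IfThenElse2)
        eval_cmd(c[2] if eval_exp(c[1], mu) else c[3], mu)
    elif c[0] == "while":                  # (E_While1)/(E_While2)
        while eval_exp(c[1], mu):
            eval_cmd(c[2], mu)
    elif c[0] == "decl":                   # (E_Decl1)/(E_Decl2)
        eval_dcl(c[1], mu)
    elif c[0] == "for":                    # (E_For1)/(E_For2): bounds fixed up front,
        x, lo, hi, body = c[1:]            # each iteration binds x as a constant
        for i in range(eval_exp(lo, mu), eval_exp(hi, mu) + 1):
            eval_cmd(body, [[x, i, True]] + mu)
    elif c[0] == "call":                   # (E_ProcCall) then (E_Alias2)/(E_Alias3)
        params, body, consts = eval_exp(c[1], mu)
        cells, outs = [], []
        for (x, m, _), a in zip(params, c[2]):
            cells.append([x, eval_exp(a, mu), m == "in"])   # in: by value, as a constant
            if m != "in":                  # out / in out: copy y in, write back afterwards
                outs.append((cells[-1], fetch(mu, a[1])))
        eval_dcl(body, cells + consts + mu)
        for cell, actual in outs:
            actual[1] = cell[1]

# The introduction's program.  Ack keeps a procedure variable P that it re-points
# at a freshly built Aux on every iteration; each Aux captures the previous P as Q.
V, K = (lambda x: ("var", x)), (lambda k: (INT, k))
PT = ("proc", (("in", INT), ("out", INT)))
AUX = ("local", "X", INT, K(0), ("block", ("seq",
       ("call", V("Q"), [K(1), V("X")]), ("seq",
       ("for", "J", K(1), V("S"), ("call", V("Q"), [V("X"), V("X")])),
       ("assign", "R", V("X"))))))
ACK = ("local", "P", PT, V("Incr"), ("block", ("seq",
       ("for", "I", K(1), V("M"), ("decl", ("const", "Q", PT, V("P"),
           ("proc", "Aux", [("S", "in", INT), ("R", "out", INT)], AUX,
           ("block", ("assign", "P", V("Aux"))))))),
       ("call", V("P"), [V("N"), V("R")]))))

def ackermann(m, n):
    """Run Ack(m, n, Res) in a store holding only the variable Res; return Res."""
    prog = ("proc", "Incr", [("N", "in", INT), ("R", "out", INT)],
            ("block", ("assign", "R", ("bin", "+", V("N"), K(1)))),
            ("proc", "Ack", [("M", "in", INT), ("N", "in", INT), ("R", "out", INT)], ACK,
            ("block", ("call", V("Ack"), [K(m), K(n), V("Res")]))))
    res = ["Res", 0, False]
    eval_dcl(prog, [res])
    return res[1]
```

Running the Ackermann program exercises every feature of the semantics at once: P is a procedure variable reassigned in a loop, each Aux closes over the previous P through the constant Q, and Q(X, X) passes the same variable as an in and as an out actual, which is harmless because the in actual is read once at the call and the out actual is a private copy written back afterwards.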
A Generated Isabelle/HOL theory

(* generated by Ott 0.10.17 from: _source-1-s.ott _source-1.ott _source-2-s.ott _source-2.ott
   _source-3-s.ott _source-3.ott _source-4.ott source.ott *)

theory source
imports Main Multiset
begin

(** syntax *)

types "index" = "nat"
types "ident" = "string"
types "number" = "int"
types "integer" = "int"

datatype "mode" =
   M_In
 | M_Out
 | M_InOut

types "boolean" = "bool"

datatype "ty" =
   T_Int
 | T_Bool
 | T_Proc "(mode*ty) list"
 | T_Void

datatype "dcl" =
   D_Empty
 | D_Block "cmd"
 | D_UninitVar "ident" "ty" "dcl"
 | D_InitVar "ident" "ty" "exp" "dcl"
 | D_Constant "ident" "ty" "exp" "dcl"
 | D_Proc "ident" "(ident*mode*ty) list" "dcl" "dcl"
 | D_Aliases "(ident*mode*ty*exp) list" "dcl"
 | D_Alias "ident" "mode" "ty" "exp" "dcl"
and "va" =
   V_Int "integer"
 | V_Bool "boolean"
 | V_Proc "(ident*mode*ty) list" "dcl"
and "cmd" =
   C_Null
 | C_Assign "ident" "exp"
 | C_Seq "cmd" "cmd"
 | C_IfThenElse "exp" "cmd" "cmd"
 | C_While "exp" "cmd"
 | C_Decl "dcl"
 | C_For "ident" "exp" "exp" "cmd"
 | C_ProcCall "exp" "exp list"
and "exp" =
   E_Var "ident"
 | E_Value "va"
 | E_Plus "exp" "exp"
 | E_Minus "exp" "exp"
 | E_Times "exp" "exp"
 | E_Equal "exp" "exp"
 | E_Greater "exp" "exp"
 | E_Less "exp" "exp"
 | E_And "exp" "exp"
 | E_Or "exp" "exp"
 | E_Not "exp"

datatype "df" =
   VarDecl "mode" "ty"
 | ReturnType "ty"

types "store" = "(ident*va) list"
types "env" = "(ident*df) list"
types "trace" = "(cmd*store) list"


(** library functions *)
lemma [mono]: "
  (!! x. f x --> g x) ==> list_all (%b. b) (map f foo_list) -->
  list_all (%b. b) (map g foo_list)"
  apply (induct_tac foo_list, auto) done

lemma [mono]: "split f p = f (fst p) (snd p)" by (simp add: split_def)


(** subrules *)
consts
  is_value_of_exp :: "exp => bool"
primrec
  "is_value_of_exp (E_Var x) = (False)"
  "is_value_of_exp (E_Value v) = ((True))"
  "is_value_of_exp (E_Plus e1 e2) = (False)"
  "is_value_of_exp (E_Minus e1 e2) = (False)"
  "is_value_of_exp (E_Times e1 e2) = (False)"
  "is_value_of_exp (E_Equal e1 e2) = (False)"
  "is_value_of_exp (E_Greater e1 e2) = (False)"
  "is_value_of_exp (E_Less e1 e2) = (False)"
  "is_value_of_exp (E_And e1 e2) = (False)"
  "is_value_of_exp (E_Or e1 e2) = (False)"
  "is_value_of_exp (E_Not e) = (False)"

(** substitutions *)
consts
  subst_ty_exp :: "exp => ident => (ty*exp) => (ty*exp)"
  subst_mode_ty_exp :: "exp => ident => mode*(ty*exp) => mode*(ty*exp)"
  subst_ident_mode_ty_exp :: "exp => ident => ident*(mode*ty*exp) => ident*(mode*ty*exp)"
  subst_ident_mode_ty_exp_list :: "exp => ident => (ident*mode*ty*exp) list => (ident*mode*ty*exp) list"
  subst_dcl :: "exp => ident => dcl => dcl"
  subst_va :: "exp => ident => va => va"
  subst_exp_list :: "exp => ident => exp list => exp list"
  subst_cmd :: "exp => ident => cmd => cmd"
  subst_exp :: "exp => ident => exp => exp"
primrec
  "subst_ty_exp e_5 x_5 (ty1,exp1) = (ty1, subst_exp e_5 x_5 exp1)"
  "subst_mode_ty_exp e_5 x_5 (mode1,ty_exp1) = (mode1, subst_ty_exp e_5 x_5 ty_exp1)"
  "subst_ident_mode_ty_exp e_5 x_5 (ident1,mode_ty_exp1) = (ident1, subst_mode_ty_exp e_5 x_5 mode_ty_exp1)"
  "subst_ident_mode_ty_exp_list e_5 x_5 Nil = (Nil)"
  "subst_ident_mode_ty_exp_list e_5 x_5 (ident_mode_ty_exp_0#ident_mode_ty_exp_list_0) =
     ((subst_ident_mode_ty_exp e_5 x_5 ident_mode_ty_exp_0) # (subst_ident_mode_ty_exp_list e_5 x_5 ident_mode_ty_exp_list_0))"
  "subst_dcl e_5 x_5 D_Empty = (D_Empty)"
  "subst_dcl e_5 x_5 (D_Block c) = (D_Block (subst_cmd e_5 x_5 c))"
  "subst_dcl e_5 x_5 (D_UninitVar x T d) = (D_UninitVar x T (if x_5 mem [x] then d else (subst_dcl e_5 x_5 d)))"
  "subst_dcl e_5 x_5 (D_InitVar x T e d) = (D_InitVar x T (subst_exp e_5 x_5 e) (if x_5 mem [x] then d else (subst_dcl e_5 x_5 d)))"
  "subst_dcl e_5 x_5 (D_Constant x T e d) = (D_Constant x T (subst_exp e_5 x_5 e) (if x_5 mem [x] then d else (subst_dcl e_5 x_5 d)))"
  "subst_dcl e_5 x_5 (D_Proc p (x_m_T_list) d1 d2) = (D_Proc p x_m_T_list (if x_5 mem (List.map (%((x_0::ident),(m_0::mode),(T_0::ty)). x_0) x_m_T_list) then d1 else (subst_dcl e_5 x_5 d1)) (subst_dcl e_5 x_5 d2))"
  "subst_dcl e_5 x_5 (D_Aliases (x_m_T_e_list) d) = (D_Aliases (subst_ident_mode_ty_exp_list e_5 x_5 x_m_T_e_list) (if x_5 mem (List.map (%((x_0::ident),(m_0::mode),(T_0::ty),(e_0::exp)). x_0) x_m_T_e_list) then d else (subst_dcl e_5 x_5 d)))"
  "subst_dcl e_5 x_5 (D_Alias x m T e d) = (D_Alias x m T (subst_exp e_5 x_5 e) (if x_5 mem [x] then d else (subst_dcl e_5 x_5 d)))"
  "subst_va e_5 x_5 (V_Int k) = (V_Int k)"
  "subst_va e_5 x_5 (V_Bool b) = (V_Bool b)"
  "subst_va e_5 x_5 (V_Proc (x_m_T_list) d) = (V_Proc x_m_T_list (if x_5 mem (List.map (%((x_0::ident),(m_0::mode),(T_0::ty)). x_0) x_m_T_list) then d else (subst_dcl e_5 x_5 d)))"
  "subst_exp_list e_5 x_5 Nil = (Nil)"
  "subst_exp_list e_5 x_5 (exp_0#exp_list_0) = ((subst_exp e_5 x_5 exp_0) # (subst_exp_list e_5 x_5 exp_list_0))"
  "subst_cmd e_5 x_5 C_Null = (C_Null)"
  "subst_cmd e_5 x_5 (C_Assign x e) = (C_Assign x (subst_exp e_5 x_5 e))"
  "subst_cmd e_5 x_5 (C_Seq c1 c2) = (C_Seq (subst_cmd e_5 x_5 c1) (subst_cmd e_5 x_5 c2))"
  "subst_cmd e_5 x_5 (C_IfThenElse e c1 c2) = (C_IfThenElse (subst_exp e_5 x_5 e) (subst_cmd e_5 x_5 c1) (subst_cmd e_5 x_5 c2))"
  "subst_cmd e_5 x_5 (C_While e c) = (C_While (subst_exp e_5 x_5 e) (subst_cmd e_5 x_5 c))"
  "subst_cmd e_5 x_5 (C_Decl d) = (C_Decl (subst_dcl e_5 x_5 d))"
  "subst_cmd e_5 x_5 (C_For x e e' c) = (C_For x (subst_exp e_5 x_5 e) (subst_exp e_5 x_5 e') (if x_5 mem [x] then c else (subst_cmd e_5 x_5 c)))"
  "subst_cmd e_5 x_5 (C_ProcCall e (e_list)) = (C_ProcCall (subst_exp e_5 x_5 e) (subst_exp_list e_5 x_5 e_list))"
  "subst_exp e_5 x_5 (E_Var x) = ((if x=x_5 then e_5 else (E_Var x)))"
  "subst_exp e_5 x_5 (E_Value v) = (E_Value (subst_va e_5 x_5 v))"
  "subst_exp e_5 x_5 (E_Plus e1 e2) = (E_Plus (subst_exp e_5 x_5 e1) (subst_exp e_5 x_5 e2))"
  "subst_exp e_5 x_5 (E_Minus e1 e2) = (E_Minus (subst_exp e_5 x_5 e1) (subst_exp e_5 x_5 e2))"
  "subst_exp e_5 x_5 (E_Times e1 e2) = (E_Times (subst_exp e_5 x_5 e1) (subst_exp e_5 x_5 e2))"
  "subst_exp e_5 x_5 (E_Equal e1 e2) = (E_Equal (subst_exp e_5 x_5 e1) (subst_exp e_5 x_5 e2))"
  "subst_exp e_5 x_5 (E_Greater e1 e2) = (E_Greater (subst_exp e_5 x_5 e1) (subst_exp e_5 x_5 e2))"
  "subst_exp e_5 x_5 (E_Less e1 e2) = (E_Less (subst_exp e_5 x_5 e1) (subst_exp e_5 x_5 e2))"
  "subst_exp e_5 x_5 (E_And e1 e2) = (E_And (subst_exp e_5 x_5 e1) (subst_exp e_5 x_5 e2))"
  "subst_exp e_5 x_5 (E_Or e1 e2) = (E_Or (subst_exp e_5 x_5 e1) (subst_exp e_5 x_5 e2))"
  "subst_exp e_5 x_5 (E_Not e) = (E_Not (subst_exp e_5 x_5 e))"

(** definitions *)
(*defns eval_exp *)
inductive Fetch :: "store \<Rightarrow> ident \<Rightarrow> va \<Rightarrow> bool"
and ExpEval :: "exp \<Rightarrow> store \<Rightarrow> va \<Rightarrow> bool"
where
(* defn Fetch *)
Fetch1I: "Fetch ( (( x , v )# mu ) ) (x) (v)"
| Fetch2I: "\<lbrakk> x ~= x' ;
   Fetch (mu) (x) (v)\<rbrakk> \<Longrightarrow>
   Fetch ( (( x' , v' )# mu ) ) (x) (v)"
| (* defn ExpEval *)
E_ValueI: "ExpEval ((E_Value v)) (mu) (v)"
| E_IdentI: "\<lbrakk>Fetch (mu) (x) (v)\<rbrakk> \<Longrightarrow>
   ExpEval ((E_Var x)) (mu) (v)"
| E_PlusI: "\<lbrakk>ExpEval (e1) (mu) ((V_Int k1)) ;
   ExpEval (e2) (mu) ((V_Int k2))\<rbrakk> \<Longrightarrow>
   ExpEval ((E_Plus e1 e2)) (mu) ((V_Int ( k1 + k2 )))"
| E_MinusI: "\<lbrakk>ExpEval (e1) (mu) ((V_Int k1)) ;
   ExpEval (e2) (mu) ((V_Int k2))\<rbrakk> \<Longrightarrow>
   ExpEval ((E_Minus e1 e2)) (mu) ((V_Int ( k1 - k2 )))"
| E_TimesI: "\<lbrakk>ExpEval (e1) (mu) ((V_Int k1)) ;
   ExpEval (e2) (mu) ((V_Int k2))\<rbrakk> \<Longrightarrow>
   ExpEval ((E_Times e1 e2)) (mu) ((V_Int ( k1 * k2 )))"
| E_GreaterI: "\<lbrakk>ExpEval (e1) (mu) ((V_Int k1)) ;
   ExpEval (e2) (mu) ((V_Int k2))\<rbrakk> \<Longrightarrow>
   ExpEval ((E_Greater e1 e2)) (mu) ((V_Bool ( k1 > k2 )))"
| E_LessI: "\<lbrakk>ExpEval (e1) (mu) ((V_Int k1)) ;
   ExpEval (e2) (mu) ((V_Int k2))\<rbrakk> \<Longrightarrow>
   ExpEval ((E_Less e1 e2)) (mu) ((V_Bool ( k1 < k2 )))"
| E_EqualI: "\<lbrakk>ExpEval (e1) (mu) ((V_Int k1)) ;
   ExpEval (e2) (mu) ((V_Int k2))\<rbrakk> \<Longrightarrow>
   ExpEval ((E_Equal e1 e2)) (mu) ((V_Bool ( k1 = k2 )))"
| E_AndI: "\<lbrakk>ExpEval (e1) (mu) ((V_Bool b1)) ;
   ExpEval (e2) (mu) ((V_Bool b2))\<rbrakk> \<Longrightarrow>
   ExpEval ((E_And e1 e2)) (mu) ((V_Bool ( b1 \<and> b2 )))"
| E_OrI: "\<lbrakk>ExpEval (e1) (mu) ((V_Bool b1)) ;
   ExpEval (e2) (mu) ((V_Bool b2))\<rbrakk> \<Longrightarrow>
   ExpEval ((E_Or e1 e2)) (mu) ((V_Bool ( b1 \<or> b2 )))"
| E_NotI: "\<lbrakk>ExpEval (e) (mu) ((V_Bool b))\<rbrakk> \<Longrightarrow>
   ExpEval ((E_Not e)) (mu) ((V_Bool (\<not> b )))"
(*defns typing *)
inductive Lookup :: "ident \<Rightarrow> df \<Rightarrow> env \<Rightarrow> bool"
and ExpTyping :: "env \<Rightarrow> exp \<Rightarrow> ty \<Rightarrow> bool"
and LookupD :: "df \<Rightarrow> env \<Rightarrow> bool"
and Match :: "env \<Rightarrow> exp \<Rightarrow> mode \<Rightarrow> ty \<Rightarrow> bool"
and MatchList :: "env \<Rightarrow> exp list \<Rightarrow> (mode*ty) list \<Rightarrow> bool"
and DeclTyping :: "env \<Rightarrow> dcl \<Rightarrow> bool"
and CommTyping :: "env \<Rightarrow> cmd \<Rightarrow> bool"
where
(* defn Lookup *)
Lookup1I: "Lookup (x) (df) ( (( x , df ) # G ) )"
| Lookup2I: "\<lbrakk> x ~= x' ;
   Lookup (x) (df) (G)\<rbrakk> \<Longrightarrow>
   Lookup (x) (df) ( (( x' , df' ) # G ) )"
| (* defn ExpTyping *)
VarI: "\<lbrakk> m ~= M_Out ;
   Lookup (x) ((VarDecl m T)) (G)\<rbrakk> \<Longrightarrow>
   ExpTyping (G) ((E_Var x)) (T)"
| IntCstI: "ExpTyping (G) ((E_Value (V_Int q))) (T_Int)"
| BoolTrueI: "ExpTyping (G) ((E_Value (V_Bool true))) (T_Bool)"
| BoolFalseI: "ExpTyping (G) ((E_Value (V_Bool false))) (T_Bool)"
| PlusI: "\<lbrakk>ExpTyping (G) (e1) (T_Int) ;
   ExpTyping (G) (e2) (T_Int)\<rbrakk> \<Longrightarrow>
   ExpTyping (G) ((E_Plus e1 e2)) (T_Int)"
| MinusI: "\<lbrakk>ExpTyping (G) (e1) (T_Int) ;
   ExpTyping (G) (e2) (T_Int)\<rbrakk> \<Longrightarrow>
   ExpTyping (G) ((E_Minus e1 e2)) (T_Int)"
| TimesI: "\<lbrakk>ExpTyping (G) (e1) (T_Int) ;
   ExpTyping (G) (e2) (T_Int)\<rbrakk> \<Longrightarrow>
   ExpTyping (G) ((E_Times e1 e2)) (T_Int)"
| EqualI: "\<lbrakk>ExpTyping (G) (e1) (T) ;
   ExpTyping (G) (e2) (T)\<rbrakk> \<Longrightarrow>
   ExpTyping (G) ((E_Equal e1 e2)) (T_Bool)"
| GreaterI: "\<lbrakk>ExpTyping (G) (e1) (T_Int) ;
   ExpTyping (G) (e2) (T_Int)\<rbrakk> \<Longrightarrow>
   ExpTyping (G) ((E_Greater e1 e2)) (T_Bool)"
| LessI: "\<lbrakk>ExpTyping (G) (e1) (T_Int) ;
   ExpTyping (G) (e2) (T_Int)\<rbrakk> \<Longrightarrow>
   ExpTyping (G) ((E_Less e1 e2)) (T_Bool)"
| AndI: "\<lbrakk>ExpTyping (G) (e1) (T_Bool) ;
   ExpTyping (G) (e2) (T_Bool)\<rbrakk> \<Longrightarrow>
   ExpTyping (G) ((E_And e1 e2)) (T_Bool)"
| OrI: "\<lbrakk>ExpTyping (G) (e1) (T_Bool) ;
   ExpTyping (G) (e2) (T_Bool)\<rbrakk> \<Longrightarrow>
   ExpTyping (G) ((E_Or e1 e2)) (T_Bool)"
| NotI: "\<lbrakk>ExpTyping (G) (e) (T_Bool)\<rbrakk> \<Longrightarrow>
   ExpTyping (G) ((E_Not e)) (T_Bool)"
| (* defn LookupD *)
LookupD1I: "LookupD (df) ( (( x , df ) # G ) )"
| LookupD2I: "\<lbrakk> df ~= df' ;
   LookupD (df) (G)\<rbrakk> \<Longrightarrow>
   LookupD (df) ( (( x , df' ) # G ) )"
| (* defn Match *)
Match1I: "\<lbrakk>ExpTyping (G) (e) (T)\<rbrakk> \<Longrightarrow>
   Match (G) (e) (M_In) (T)"
| Match2I: "\<lbrakk>Lookup (x) ((VarDecl m T)) (G) ;
   m ~= M_In \<rbrakk> \<Longrightarrow>
   Match (G) ((E_Var x)) (M_Out) (T)"
| Match3I: "\<lbrakk>Lookup (x) ((VarDecl M_InOut T)) (G)\<rbrakk> \<Longrightarrow>
   Match (G) ((E_Var x)) (M_InOut) (T)"
| (* defn MatchList *)
MatchList1I: "MatchList (G) ( [] ) ( [] )"
| MatchList2I: "\<lbrakk>Match (G) (e) (m) (T) ;
   MatchList (G) ((e_list)) ((m_T_list))\<rbrakk> \<Longrightarrow>
   MatchList (G) (((e) # e_list)) (((m,T) # m_T_list))"
| (* defn DeclTyping *)
EmptyI: "DeclTyping (G) (D_Empty)"
| BlockI: "\<lbrakk>CommTyping (G) (c)\<rbrakk> \<Longrightarrow>
   DeclTyping (G) ((D_Block c))"
| UninitVarI: "\<lbrakk>DeclTyping ( (( x , (VarDecl M_InOut T) ) # G ) ) (d)\<rbrakk> \<Longrightarrow>
   DeclTyping (G) ((D_UninitVar x T d))"
| InitVarI: "\<lbrakk>ExpTyping (G) (e) (T) ;
   DeclTyping ( (( x , (VarDecl M_InOut T) ) # G ) ) (d)\<rbrakk> \<Longrightarrow>
   DeclTyping (G) ((D_InitVar x T e d))"
| ConstantI: "\<lbrakk>ExpTyping (G) (e) (T) ;
   DeclTyping ( (( x , (VarDecl M_In T) ) # G ) ) (d)\<rbrakk> \<Longrightarrow>
   DeclTyping (G) ((D_Constant x T e d))"
| ProcI: "\<lbrakk>DeclTyping ( ((List.rev (List.map
     (%((x_0::ident),(m_0::mode),(T_0::ty)). (x_0,(VarDecl m_0 T_0))) x_m_T_list)) @ G) ) (d1) ;
   DeclTyping ( (( p , (VarDecl M_In (T_Proc (List.map
     (%((x_0::ident),(m_0::mode),(T_0::ty)). (m_0,T_0)) x_m_T_list))) ) # G ) ) (d2)\<rbrakk> \<Longrightarrow>
   DeclTyping (G) ((D_Proc p (x_m_T_list) d1 d2))"
| (* defn CommTyping *)
NullI: "CommTyping (G) (C_Null)"
| SeqI: "\<lbrakk>CommTyping (G) (c1) ;
   CommTyping (G) (c2)\<rbrakk> \<Longrightarrow>
   CommTyping (G) ((C_Seq c1 c2))"
| AssignI: "\<lbrakk> m ~= M_In ;
   Lookup (x) ((VarDecl m T)) (G) ;
   ExpTyping (G) (e) (T)\<rbrakk> \<Longrightarrow>
   CommTyping (G) ((C_Assign x e))"
| IfThenElseI: "\<lbrakk>ExpTyping (G) (e) (T_Bool) ;
   CommTyping (G) (c1) ;
   CommTyping (G) (c2)\<rbrakk> \<Longrightarrow>
   CommTyping (G) ((C_IfThenElse e c1 c2))"
| WhileI: "\<lbrakk>ExpTyping (G) (e) (T_Bool) ;
   CommTyping (G) (c)\<rbrakk> \<Longrightarrow>
   CommTyping (G) ((C_While e c))"
| ForI: "\<lbrakk>ExpTyping (G) (e) (T_Int) ;
   ExpTyping (G) (e') (T_Int) ;
   CommTyping ( (( x , (VarDecl M_In T_Int) ) # G ) ) (c)\<rbrakk> \<Longrightarrow>
   CommTyping (G) ((C_For x e e' c))"
| DeclI: "\<lbrakk>DeclTyping (G) (d)\<rbrakk> \<Longrightarrow>
   CommTyping (G) ((C_Decl d))"
| ProcCallI: "\<lbrakk>ExpTyping (G) (e) ((T_Proc (m_T_list))) ;
   MatchList (G) ((e_list)) ((m_T_list))\<rbrakk> \<Longrightarrow>
   CommTyping (G) ((C_ProcCall e (e_list)))"
(*defns eval_comm *) 

inductive StoreUpdate : : "store \<Rightarrow> ident \<Rightarrow> va \<Rightarrow> store 
\<Rightarrow> bool" 

and ManySteps : : "cmd \<Rightarrow> store \<Rightarrow> integer \<Rightarrow> cmd \<Rightarrow> 

store \<Rightarrow> bool" 
and Trace : : "cmd \<Rightarrow> store \<Rightarrow> integer \<Rightarrow> trace \<Rightarrow> bool" 
and FullEvaluation : : "cmd \<Rightarrow> store \<Rightarrow> store \<Rightarrow> bool" 
and Compat :: " (ident*mode*ty) list \<Rightarrow> exp list \<Rightarrow> (ident*mode*ty*exp) list 

\<Rightarrow> bool" 

and OneStep : : "cmd \<Rightarrow> store \<Rightarrow> cmd \<Rightarrow> store \<Rightarrow> bool" 
and DeclEval : : "del \<Rightarrow> store \<Rightarrow> del \<Rightarrow> store \<Rightarrow> bool" 
where 

(* defn StoreUpdate *) 

Updatell: "StoreUpdate ( (( x , v )# mu ) ) (x) (v') ( (( x , v' )# mu ) )" 
I Update2I: "\<lbrakk> x ~= x' ; 

StoreUpdate (mu) (x) (v') (mu' )\<rbrakk> \<Longrightarrow> 
StoreUpdate ( (( x> , v )# mu ) ) (x) (v>) ( (( x' , v )# mu' ) )" 

I (* defn ManySteps *) 

ManyStepslI: "ManySteps (c) (mu) ( ) (c) (mu) " 

I ManySteps2I: "ManySteps (C_Null) (mu) (k) (C_Null) (mu) " 

I ManySteps3I: "\<lbrakk>OneStep (c) (mu) (c>) (mu') ; 

ManySteps (c') (mu') ( ( k - 1 ) ) (c") (mu" )\<rbrakk> \<Longrightarrow> 
ManySteps (c) (mu) (k) (c") (mu")" 
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I (* defn Trace *) 



Tracell: "Trace (c) (mu) ( ) ( [] )" 

I Trace2I: "Trace (C_Null) (mu) (k) ( [] )" 

I Trace3I: "\<lbrakk>OneStep (c) (mu) (c') (mu') ; 

Trace (c') (mu') ((k- 1))( (c ' _mu' _list) )\<rbrakk> \<Longrightarrow> 
Trace (c) (mu) (k) ( ((c',mu') # c'_mu'_list) )" 

I (* defn FullEvaluation *) 

Evalll: "FullEvaluation (CJJull) (mu) (mu) " 

I Eval2I: "\<lbrakk>OneStep (c) (mu) (c>) (mu') ; 
FullEvaluation (c') (mu') (mu' ' ) \<rbrakk> \<Longrightarrow> 
FullEvaluation (c) (mu) (mu'')" 

I (* defn Compat *) 

E_CompatlI: "Compat ( [] ) ( [] ) ( [] ) " 

I E_Compat2I: "\<lbrakk>Compat ( (x' _m'_T' _list) ) ((e'_list)) ( (x_m_T_e_list) )\<rbrakk> 
\<Longrightarrow> 

Compat (((x,m,T) # x' _m' _T' _list) ) (((e) # e'_list)) ( ( (x.m.T.e) # x_m_T_e_list) ) " 
I (* defn OneStep *) 

EJSullI: "OneStep ( (C_Seq C_Null c) ) (mu) (c) (mu) " 

I E_SeqI: "\<lbrakk>OneStep (cl) (mu) (cl') (mu ' ) \<rbrakk> \<Longrightarrow> 
OneStep ( (C_Seq cl c2) ) (mu) ( (C_Seq cl' c2) ) (mu')" 

I E_AssignI: "\<lbrakk>ExpEval (e) (mu) (v) ; 
StoreUpdate (mu) (x) (v) (mu' ) \<rbrakk> \<Longrightarrow> 
OneStep ( (C_Assign x e) ) (mu) (C_Null) (mu')" 

I E_IfThenElselI: "\<lbrakk>ExpEval (e) (mu) ((V_Bool true ))\<rbrakk> \<Longrightarrow> 
OneStep ( (C_If ThenElse e cl c2) ) (mu) (cl) (mu) " 

I E_IfThenElse2I: "\<lbrakk>ExpEval (e) (mu) ( (V_Bool false ))\<rbrakk> \<Longrightarrow> 
OneStep ( (C_If ThenElse e cl c2) ) (mu) (c2) (mu) " 

I E_WhilelI: "\<lbrakk>ExpEval (e) (mu) ( (V_Bool false ))\<rbrakk> \<Longrightarrow> 
OneStep ( (C_While e c) ) (mu) (C_Null) (mu) " 

I E_While2I: "\<lbrakk>ExpEval (e) (mu) ( (V_Bool true ))\<rbrakk> \<Longrightarrow> 
OneStep ( (C_While e c) ) (mu) ( (C_Seq c (C_While e c)) ) (mu) " 

I E_DecllI: "OneStep ((C_Decl D_Empty) ) (mu) (C.Null) (mu) " 

| E_Decl2I: "\<lbrakk>DeclEval (d) (mu) (d') (mu') \<rbrakk> \<Longrightarrow>
OneStep ((C_Decl d)) (mu) ((C_Decl d')) (mu')"

| E_For1I: "\<lbrakk>ExpEval (e) (mu) ((V_Int k)) ;
ExpEval (e') (mu) ((V_Int k')) ;
( k > k' ) \<rbrakk> \<Longrightarrow>
OneStep ((C_For x e e' c)) (mu) (C_Null) (mu)"

| E_For2I: "\<lbrakk>ExpEval (e) (mu) ((V_Int k)) ;
ExpEval (e') (mu) ((V_Int k')) ;
( k <= k' ) \<rbrakk> \<Longrightarrow>
OneStep ((C_For x e e' c)) (mu) ((C_Seq (C_Decl (D_Constant x T_Int (E_Value (V_Int k)) (D_Block
c))) (C_For x (E_Value (V_Int ( k + 1 ))) (E_Value (V_Int k')) c))) (mu)"

| E_ProcCallI: "\<lbrakk>ExpEval (e) (mu) ((V_Proc (x'_m'_T'_list) d)) ;
Compat ((x'_m'_T'_list)) ((e'_list)) ((x_m_T_e_list)) \<rbrakk> \<Longrightarrow>
OneStep ((C_ProcCall e (e'_list))) (mu) ((C_Decl (D_Aliases (x_m_T_e_list) d))) (mu)"

| (* defn DeclEval *)

E_Block1I: "DeclEval ((D_Block C_Null)) (mu) (D_Empty) (mu)"

| E_Block2I: "\<lbrakk>OneStep (c) (mu) (c') (mu') \<rbrakk> \<Longrightarrow>
DeclEval ((D_Block c)) (mu) ((D_Block c')) (mu')"

| E_InitVar1I: "DeclEval ((D_InitVar x T e D_Empty)) (mu) (D_Empty) (mu)"

| E_InitVar2I: "\<lbrakk>ExpEval (e) (mu) (v) ;
DeclEval (d) ((( x , v ) # mu)) (d') ((( x , v' ) # mu'))\<rbrakk> \<Longrightarrow>
DeclEval ((D_InitVar x T e d)) (mu) ((D_InitVar x T (E_Value v') d')) (mu')"

| E_Const1I: "DeclEval ((D_Constant x T e D_Empty)) (mu) (D_Empty) (mu)"

| E_Const2I: "\<lbrakk>ExpEval (e) (mu) (v) ;
DeclEval ((subst_dcl (E_Value v) x d)) (mu) (d') (mu')\<rbrakk> \<Longrightarrow>
DeclEval ((D_Constant x T e d)) (mu) ((D_Constant x T (E_Value v) d')) (mu')"

| E_ProcI: "DeclEval ((D_Proc p (x_m_T_list) dl d)) (mu) ((subst_dcl (E_Value (V_Proc
(x_m_T_list) dl)) p d)) (mu)"

| E_Alias1I: "DeclEval ((D_Alias x m T e D_Empty)) (mu) (D_Empty) (mu)"

| E_Alias2I: "\<lbrakk>ExpEval (e) (mu) (v) ;
DeclEval ((subst_dcl (E_Value v) x d)) (mu) (d') (mu')\<rbrakk> \<Longrightarrow>
DeclEval ((D_Alias x M_In T e d)) (mu) (d') (mu')"

| E_Alias3I: "\<lbrakk> m ~= M_In ;
Fetch (mu) (y) (v) ;
DeclEval (d) ((( x , v ) # mu)) (d') ((( x , v' ) # mu')) ;
StoreUpdate (mu') (y) (v') (mu'')\<rbrakk> \<Longrightarrow>
DeclEval ((D_Alias x m T (E_Var y) d)) (mu) ((D_Alias x m T (E_Var y) d')) (mu'')"

| E_Aliases1I: "DeclEval ((D_Aliases [] d)) (mu) (d) (mu)"

| E_Aliases2I: "DeclEval ((D_Aliases (x_m_T_e_list) D_Empty)) (mu) (D_Empty) (mu)"

| E_Aliases3I: "\<lbrakk>DeclEval ((D_Alias x m T e (D_Aliases (x_m_T_e_list) d))) (mu) (d')
(mu') \<rbrakk> \<Longrightarrow>
DeclEval ((D_Aliases ((x,m,T,e) # x_m_T_e_list) d)) (mu) (d') (mu')"
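The rules above are easier to follow when run on a concrete program. The following Python interpreter is an added example, not the paper's Ott/Isabelle code or anything generated from it: it implements a big-step reading of OneStep and DeclEval for the fragment used by the tests below (assignment, sequencing, for loops, declarations and procedure calls). Terms are tuples tagged with the Isabelle constructor names, and the type annotations (T_Int, T_Bool, T_Proc) are dropped since only evaluation is modelled. In-mode parameters are passed by substitution as in E_Alias2I; out and in out parameters follow E_Alias3I (the argument must be a variable y: its value is fetched, the callee runs with x pushed on the store, and the callee's final value of x is stored back into y). The D_Aliases list of E_ProcCallI is assumed to unfold positionally into nested D_Alias declarations, which is what Compat and E_Aliases1I..3I do one element at a time. The program `plus_program` mirrors test24 of the Evaluation module below (Plus built from Incr via a for loop); the initial store value 0 for R is a constructed choice.

```python
# Added example, not the paper's Ott/Isabelle code: a big-step interpreter for the Loop
# fragment whose small-step rules are listed above.  Terms are tuples tagged with the
# Isabelle constructor names; the type annotations (T_Int, T_Bool, T_Proc) are dropped.
# A store is a list of (name, value) pairs, newest first, like (x, v) # mu.
def fetch(mu, y):                                   # Fetch mu y v: innermost binding of y
    return next(v for x, v in mu if x == y)

def store_update(mu, y, v):                         # StoreUpdate mu y v mu'
    i = next(i for i, (x, _) in enumerate(mu) if x == y)
    return mu[:i] + [(y, v)] + mu[i + 1:]

def subst(t, x, val):
    """subst_dcl (E_Value val) x t: replace free E_Var x by E_Value val, stopping at binders.
    D_Alias and C_ProcCall fall through to the generic case (parameter names are distinct)."""
    if not isinstance(t, tuple) or not t:
        return t
    tag = t[0]
    if tag == 'E_Value':                            # values (V_Proc closures included) are closed
        return t
    if tag == 'E_Var':
        return ('E_Value', val) if t[1] == x else t
    if tag in ('D_InitVar', 'D_Constant'):          # x is bound in the continuation d only
        _, y, e, d = t
        return (tag, y, subst(e, x, val), d if y == x else subst(d, x, val))
    if tag == 'D_Proc':                             # parameters bind in dl, the name p in d
        _, p, params, dl, d = t
        dl = dl if any(y == x for y, _ in params) else subst(dl, x, val)
        return (tag, p, params, dl, d if p == x else subst(d, x, val))
    if tag == 'C_For':                              # the loop index binds in the body only
        _, y, e1, e2, c = t
        return (tag, y, subst(e1, x, val), subst(e2, x, val), c if y == x else subst(c, x, val))
    return tuple(subst(s, x, val) for s in t)       # E_Plus, C_Seq, C_Assign, D_Alias, ...

def exp_eval(e, mu):                                # ExpEval e mu v (E_Plus is the only operator)
    if e[0] == 'E_Value':
        return e[1]
    if e[0] == 'E_Var':
        return fetch(mu, e[1])
    return exp_eval(e[1], mu) + exp_eval(e[2], mu)

def comm_eval(c, mu):                               # closure of OneStep: run c down to C_Null
    tag = c[0]
    if tag == 'C_Null':
        return mu
    if tag == 'C_Assign':
        return store_update(mu, c[1], exp_eval(c[2], mu))
    if tag == 'C_Seq':
        return comm_eval(c[2], comm_eval(c[1], mu))
    if tag == 'C_Decl':
        return decl_eval(c[1], mu)
    if tag == 'C_For':                              # E_For1I / E_For2I: both bounds are fixed up
        _, x, e1, e2, body = c                      # front; each iteration binds x as a constant
        k, k2 = exp_eval(e1, mu), exp_eval(e2, mu)
        while k <= k2:
            mu = decl_eval(('D_Constant', x, ('E_Value', k), ('D_Block', body)), mu)
            k += 1
        return mu
    _, e, args = c                                  # C_ProcCall, E_ProcCallI + E_Aliases1I..3I:
    _, params, body = exp_eval(e, mu)               # the callee is a V_Proc closure; Compat pairs
    for (x, m), a in reversed(list(zip(params, args))):   # each parameter with its argument,
        body = ('D_Alias', x, m, a, body)           # giving nested D_Alias around the body
    return decl_eval(body, mu)

def decl_eval(d, mu):                               # closure of DeclEval; pushed bindings are
    tag = d[0]                                      # popped again on exit
    if tag == 'D_Block':
        return comm_eval(d[1], mu)
    if tag == 'D_InitVar':                          # E_InitVar2I: run d on (x, v) # mu, drop (x, v')
        _, x, e, body = d
        return decl_eval(body, [(x, exp_eval(e, mu))] + mu)[1:]
    if tag == 'D_Constant':                         # E_Const2I: substitute the value into d
        _, x, e, body = d
        return decl_eval(subst(body, x, exp_eval(e, mu)), mu)
    if tag == 'D_Proc':                             # E_ProcI: substitute the closure for p in d
        _, p, params, dl, body = d
        return decl_eval(subst(body, p, ('V_Proc', params, dl)), mu)
    _, x, m, e, body = d                            # D_Alias
    if m == 'M_In':                                 # E_Alias2I: pass by value, via substitution
        return decl_eval(subst(body, x, exp_eval(e, mu)), mu)
    y = e[1]                                        # E_Alias3I: an out / in out argument is a
    mu1 = decl_eval(body, [(x, fetch(mu, y))] + mu) # variable y; run the callee with x on top,
    (_, v2), mu2 = mu1[0], mu1[1:]                  # then copy the final value of x back into y
    return store_update(mu2, y, v2)

def plus_program(m, n):
    """Constructed program shaped like Evaluation.test24: Incr(N, R) sets R := N + 1 and
    Plus(M, N, R) calls Incr(X, X) N times on a local X initialised to M, so R = M + N."""
    incr = ('D_Block', ('C_Assign', 'R', ('E_Plus', ('E_Var', 'N'), ('E_Value', 1))))
    plus = ('D_InitVar', 'X', ('E_Var', 'M'), ('D_Block', ('C_Seq',
        ('C_For', 'I', ('E_Value', 1), ('E_Var', 'N'),
         ('C_ProcCall', ('E_Var', 'Incr'), (('E_Var', 'X'), ('E_Var', 'X')))),
        ('C_Assign', 'R', ('E_Var', 'X')))))
    main = ('D_Block', ('C_ProcCall', ('E_Var', 'Plus'),
                        (('E_Value', m), ('E_Value', n), ('E_Var', 'R'))))
    return ('C_Decl', ('D_Proc', 'Incr', (('N', 'M_In'), ('R', 'M_Out')), incr,
                       ('D_Proc', 'Plus', (('M', 'M_In'), ('N', 'M_In'), ('R', 'M_Out')), plus, main)))

def run_plus(m, n):                                 # FullEvaluation on the constructed store [("R", 0)]
    return fetch(comm_eval(plus_program(m, n), [('R', 0)]), 'R')
```

`run_plus(3, 5)` returns 8. Two points of the semantics show up directly in the code: the call `Incr(X, X)` inside Plus works because the out parameter R is a fresh store entry pushed on top of the caller's X and only written back by StoreUpdate when the callee finishes, and a for loop never sees changes to its bound because E_For2I re-creates the loop with the constant k' rather than re-reading e'.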

code_module Evaluation
contains

test1 = "ExpEval ( ( (E_Plus (E_Value (V_Int 2 )) (E_Value (V_Int 3 ))) ) ) ( Nil ) ( _ )"

test2 = "ExpEval ( ( (E_Plus (E_Var "X") (E_Value (V_Int 3 ))) ) ) ( ( [( "X" , (V_Int 5 ))]) ) ( _ )"

ML {* DSeq.hd Evaluation.test1 *}

code_module Typing (* file "Typing.sml" *)
contains

test1 = "ExpTyping ( Nil ) ((E_Var "X")) (T_Int)"

test2 = "ExpTyping ( ( ( "X" , (VarDecl M_In T_Int)) # [( "Y" , (VarDecl M_In T_Int))]) )
((E_Equal ( (E_Plus (E_Var "X") (E_Value (V_Int 1 ))) ) (E_Var "Y"))) (T_Bool) "

ML {* Typing.test1 *}
ML {* Typing.test2 *}
code_module Evaluation
contains

test1 = "ExpEval ( ( (E_Plus (E_Value (V_Int 2 )) (E_Value (V_Int 3 ))) ) ) ( Nil ) ( _ )"

test2 = "StoreUpdate ( (("X", (V_Int 2 )) # [("Y", (V_Int 3 ))]) ) ("X") ((V_Int 3 )) ( _ )"

test3 = "ManySteps ( (C_Assign "X" (E_Plus (E_Var "X") (E_Value (V_Int 1 )))) ) (
([("X", (V_Int 2 ))]) ) ( 1 ) ( _ ) ( _ )"

test4 = "FullEvaluation ( (C_Seq (C_Assign "X" (E_Plus (E_Var "X") (E_Var "Y"))) (C_Assign
"Y" (E_Plus (E_Var "X") (E_Var "Y")))) ) ( (("X", (V_Int 42 )) # [("Y", (V_Int 12 ))]) )
( _ )"

test5 = "FullEvaluation ( (C_IfThenElse (E_Var "B") (C_Assign "X" (E_Value (V_Int 1 )))
(C_Assign "Y" (E_Value (V_Int 1 )))) ) ( (("B", (V_Bool true )) # ("X", (V_Int )) #
[("Y", (V_Int ))]) ) ( _ )"

ML {* DSeq.hd Evaluation.test1 *}

ML {* DSeq.hd Evaluation.test2 *}

ML {* DSeq.hd Evaluation.test3 *}

ML {* DSeq.hd Evaluation.test4 *}

ML {* DSeq.hd Evaluation.test5 *}

code_module Typing (* file "Extraction.sml" *)
contains

test1 = "CommTyping ( ( [( "X" , (VarDecl M_InOut T_Int))]) ) ((C_Assign "X" (E_Plus (E_Var "X")
(E_Value (V_Int 1 )))))"

test2 = "CommTyping ( (( "X" , (VarDecl M_InOut T_Int)) # ( "Y" , (VarDecl M_In T_Bool)) #
[("B" , (VarDecl M_In T_Bool))]) ) ( (C_IfThenElse (E_Var "B") (C_Assign "X" (E_Value (V_Int 1
))) (C_Assign "Y" (E_Value (V_Int 1 )))))"

ML {* Typing.test1 *}
ML {* Typing.test2 *}

code_module Evaluation
contains

test1 = "FullEvaluation ((C_Decl (D_Constant "B" T_Bool (E_Value (V_Bool false )) (D_Block
(C_IfThenElse (E_Var "B") (C_Assign "X" (E_Value (V_Int 1 ))) (C_Assign "Y" (E_Value (V_Int
1 )))))))) ( (("X", (V_Int )) # [("Y", (V_Int ))]) ) ( _ )"

test2 = "FullEvaluation ((C_For "I" (E_Value (V_Int 1 )) (E_Var "X") (C_Assign "Y" (E_Plus
(E_Var "Y") (E_Var "X"))))) ( (("X", (V_Int 5 )) # [("Y", (V_Int ))]) ) ( _ )"

ML {* DSeq.hd Evaluation.test1 *}
ML {* DSeq.hd Evaluation.test2 *}

code_module Typing (* file "Extraction.sml" *)
contains

test1 = "CommTyping ( ([( "X" , (VarDecl M_InOut T_Int))]) ) ((C_Assign "X" (E_Plus (E_Var "X")
(E_Value (V_Int 1 )))))"

test2 = "CommTyping ( ([( "X" , (VarDecl M_InOut T_Int))]) ) ((C_Decl (D_InitVar "X" T_Int
(E_Value (V_Int 42 )) (D_Block (C_Seq (C_Assign "X" (E_Plus (E_Var "Y") (E_Value (V_Int 1
)))) (C_Seq (C_Assign "X" (E_Plus (E_Var "X") (E_Value (V_Int 1 )))) (C_Assign "Y" (E_Minus
(E_Var "Y") (E_Value (V_Int 1 ))))))))))"

test3 = "CommTyping ( ([( "X" , (VarDecl M_InOut T_Int))]) ) ((C_Decl (D_InitVar "Y" T_Bool
(E_Value (V_Bool false )) (D_Block (C_For "I" (E_Value (V_Int 1 )) (E_Var "X") (C_Assign
"X" (E_Plus (E_Var "Y") (E_Value (V_Int 1 )))))))))"

ML {* Typing.test1 *}
ML {* Typing.test2 *}
ML {* Typing.test3 *}

code_module Typing
contains

test1 = "CommTyping ( ([( "R" , (VarDecl M_Out T_Bool))]) ) ((C_Decl (D_InitVar "Y" T_Int (E_Value
(V_Int 42 )) (D_Proc "P" ( ( "I" ,M_InOut ,T_Int) # [("B" ,M_Out,T_Bool)] ) (D_Block (C_Assign
"B" ( (E_Equal (E_Var "I") (E_Value (V_Int 1 ))) ) )) (D_Block (C_ProcCall (E_Var "P")
(((E_Var "Y")) # [((E_Var "R" ))]))))))) "

test2 = "CommTyping ( ([( "R" , (VarDecl M_Out T_Int))]) ) ((C_Decl (D_Proc "Incr"
(("N" ,M_In,T_Int) # [( "R" ,M_Out,T_Int)] ) (D_Block (C_Assign "R" (E_Plus (E_Var "N")
(E_Value (V_Int 1 ))))) (D_Proc "Ack" ( ( "M" ,M_In,T_Int) # ( "N" ,M_In,T_Int) #
[("R",M_Out,T_Int)]) (D_InitVar "P" (T_Proc ( (M_In,T_Int) # [(M_Out,T_Int)] )) (E_Var "Incr")
(D_Block (C_Seq (C_For "I" (E_Value (V_Int 1 )) (E_Var "M") (C_Decl (D_Proc "Aux"
(("S" ,M_In,T_Int) # [( "R" ,M_Out ,T_Int)] ) (D_InitVar "X" T_Int (E_Value (V_Int )) (D_Block
(C_Seq (C_ProcCall (E_Var "P") ( ( (E_Value (V_Int 1 ))) # [((E_Var "X"))])) (C_Seq (C_For "J"
(E_Value (V_Int 1 )) (E_Var "S") (C_ProcCall (E_Var "P") (((E_Var "X")) # [((E_Var
"X"))]))) (C_Assign "R" (E_Var "X")))))) (D_Block (C_Assign "P" (E_Var "Aux"))))))
(C_ProcCall (E_Var "P") (((E_Var "N")) # [((E_Var "R"))] ))))) (D_Block (C_ProcCall (E_Var
"Ack") (((E_Value (V_Int 2 ))) # ( (E_Value (V_Int 2 ))) # [((E_Var "R" ))]))))))) "

test24 = "CommTyping ( ([( "R" , (VarDecl M_Out T_Int))]) ) ((C_Decl (D_Proc "Comp"
( [("P1" ,M_In, (T_Proc ( (M_In,T_Int) # [(M_Out ,T_Int)] ) ) )] @ [( "P2" ,M_In, (T_Proc ( (M_In,T_Int) #
[(M_Out,T_Int)] )))] @ [("P3" ,M_Out, (T_Proc ( (M_In,T_Int) # [(M_Out ,T_Int)] ) ) )] ) (D_Proc "P"
( ( "N" ,M_In,T_Int) # [( "R" ,M_Out,T_Int)] ) (D_InitVar "X" T_Int (E_Value (V_Int )) (D_Block
(C_Seq (C_ProcCall (E_Var "P1") (((E_Var "N")) # [((E_Var "X"))])) (C_ProcCall (E_Var "P2")
(((E_Var "X")) # [((E_Var "R"))]))))) (D_Block (C_Assign "P3" (E_Var "P")))) (D_Proc
"Incr" ( ( "N" ,M_In,T_Int) # [( "R" ,M_Out ,T_Int)] ) (D_Block (C_Assign "R" (E_Plus (E_Var
"N") (E_Value (V_Int 1 ))))) (D_Proc "IncrN" ( ( "M" ,M_In,T_Int) # ("N" ,M_In,T_Int) #
[("R" ,M_Out,T_Int)]) (D_InitVar "P" (T_Proc ( (M_In,T_Int) # [(M_Out,T_Int)] )) (E_Var "Incr")
(D_Block (C_Seq (C_For "I" (E_Value (V_Int 1 )) (E_Var "N") (C_ProcCall (E_Var "Comp")
(((E_Var "P")) # ((E_Var "P")) # [((E_Var "P"))]))) (C_ProcCall (E_Var "P") ( ( (E_Var
"M")) # [((E_Var "R"))]))))) (D_Block (C_ProcCall (E_Var "IncrN") ( ( (E_Value (V_Int 3 ))) #
((E_Value (V_Int 3 ))) # [((E_Var "R" ))])))))))) "

ML {* Typing.test1 *}
ML {* Typing.test2 *}
ML {* Typing.test24 *}

code_module Evaluation
contains

test1 = "ManySteps ((C_Decl (D_InitVar "Y" T_Int (E_Value (V_Int 42 )) (D_Proc "P"
(("I" ,M_InOut,T_Int) # [( "B" ,M_Out ,T_Bool)] ) (D_Block (C_Assign "B" ( (E_Equal (E_Var "I")
(E_Value (V_Int 1 ))) ) )) (D_Block (C_ProcCall (E_Var "P") ( ( (E_Var "Y")) # [((E_Var
"R" ))])))))) ) ( ([("R", (V_Bool false ))]) ) ( 1 ) ( _ ) ( _ )"

test2 = "ManySteps ((C_Decl (D_InitVar "Y" T_Int (E_Value (V_Int 42 )) (D_Proc "P"
(("I" ,M_InOut,T_Int) # [( "B" ,M_Out ,T_Bool)] ) (D_Block (C_Assign "B" ( (E_Equal (E_Var "I")
(E_Value (V_Int 1 ))) ) )) (D_Block (C_ProcCall (E_Var "P") ( ( (E_Var "Y")) # [((E_Var
"R" ))])))))) ) ( ([("R", (V_Bool false ))]) ) ( 2 ) ( _ ) ( _ )"

test3 = "ManySteps ((C_Decl (D_InitVar "Y" T_Int (E_Value (V_Int 42 )) (D_Proc "P"
(("I" ,M_In,T_Int) # [( "B" ,M_Out , T_Bool)] ) (D_Block (C_Assign "B" ( (E_Equal (E_Var "I")
(E_Value (V_Int 1 ))) ) )) (D_Block (C_ProcCall (E_Var "P") (((E_Var "Y" ) ) # [((E_Var
"R" ))])))))) ) ( ([("R", (V_Bool false ))]) ) ( 3 ) ( _ ) ( _ )"

test10 = "FullEvaluation ((C_Decl (D_InitVar "Y" T_Int (E_Value (V_Int 42 )) (D_Proc "P"
(("I" ,M_In, T_Int) # [( "B" ,M_Out, T_Bool)] ) (D_Block (C_Assign "B" ( (E_Equal (E_Var "I")
(E_Value (V_Int 1 ))) ) )) (D_Block (C_ProcCall (E_Var "P") (((E_Var "Y")) # [((E_Var
"R" ))])))))) ) ( ([("R", (V_Bool true ))]) ) ( _ )"



test20 = "Trace ((C_Decl (D_InitVar "Y" T_Int (E_Value (V_Int 42 )) (D_Proc "P"
(("I" ,M_In,T_Int) # [("B" ,M_Out, T_Bool) ] ) (D_Block (C_Assign "B" ( (E_Equal (E_Var "I")
(E_Value (V_Int 1 ))) ) )) (D_Block (C_ProcCall (E_Var "P") ( ( (E_Var "Y")) # [((E_Var
"R"))])))))) ) ( ([("R", (V_Bool false ))]) ) ( 20 ) ( _ ) "

test24 = "FullEvaluation ((C_Decl (D_Proc "Incr" ( ( "N" ,M_In,T_Int) # [("R" ,M_Out ,T_Int)] )
(D_Block (C_Assign "R" (E_Plus (E_Var "N") (E_Value (V_Int 1 ))))) (D_Proc "Plus"
( ( "M" ,M_In,T_Int) # ( "N" ,M_In,T_Int) # [( "R" ,M_Out ,T_Int)] ) (D_InitVar "X" T_Int (E_Var
"M") (D_Block (C_Seq (C_For "I" (E_Value (V_Int 1 )) (E_Var "N") (C_ProcCall (E_Var
"Incr") (((E_Var "X")) # [((E_Var "X"))]))) (C_Assign "R" (E_Var "X"))))) (D_Block
(C_ProcCall (E_Var "Plus") (((E_Value (V_Int 3 ))) # ((E_Value (V_Int 5 ))) # [((E_Var
"R"))]))))))) ( ([("R", (V_Int ))]) ) ( _ )"

test25 = "FullEvaluation ((C_Decl (D_Proc "Comp" ( [( "P1" ,M_In, (T_Proc ((M_In,T_Int) #
[(M_Out,T_Int)])))] @ [("P2" ,M_In, (T_Proc ((M_In,T_Int) # [(M_Out,T_Int)] )))] @
[("P3" ,M_Out, (T_Proc ( (M_In,T_Int) # [(M_Out,T_Int)])))]) (D_Proc "P" (( "N" ,M_In,T_Int) #
[("R" ,M_Out,T_Int)]) (D_InitVar "X" T_Int (E_Value (V_Int )) (D_Block (C_Seq (C_ProcCall
(E_Var "P1") (((E_Var "N" ) ) # [((E_Var "X"))])) (C_ProcCall (E_Var "P2") ( ( (E_Var "X")) #
[((E_Var "R"))]))))) (D_Block (C_Assign "P3" (E_Var "P")))) (D_Proc "Incr"
(("N" ,M_In,T_Int) # [( "R" ,M_Out,T_Int)] ) (D_Block (C_Assign "R" (E_Plus (E_Var "N")
(E_Value (V_Int 1 ))))) (D_Proc "IncrN" (( "M" ,M_In,T_Int) # ( "N" ,M_In,T_Int) #
[("R" ,M_Out,T_Int)]) (D_InitVar "P" (T_Proc ((M_In,T_Int) # [(M_Out,T_Int)])) (E_Var "Incr")
(D_Block (C_Seq (C_For "I" (E_Value (V_Int 1 )) (E_Var "N") (C_ProcCall (E_Var "Comp")
(((E_Var "P")) # ((E_Var "P")) # [((E_Var "P"))]))) (C_ProcCall (E_Var "P") (((E_Var
"M")) # [((E_Var "R" ))]))))) (D_Block (C_ProcCall (E_Var "IncrN") (((E_Value (V_Int 3 ))) #
((E_Value (V_Int 3 ))) # [((E_Var "R" ))]))))))) ) ( ([( "R" , (V_Int ))]) ) ( _ )"

test30 = "FullEvaluation ((C_Decl (D_Proc "Incr" (( "N" ,M_In,T_Int) # [( "R" ,M_Out,T_Int)] )
(D_Block (C_Assign "R" (E_Plus (E_Var "N") (E_Value (V_Int 1 ))))) (D_Proc "Ack"
(("M" ,M_In,T_Int) # ("N" ,M_In,T_Int) # [( "R" ,M_Out,T_Int)] ) (D_InitVar "P" (T_Proc
((M_In,T_Int) # [(M_Out,T_Int)])) (E_Var "Incr") (D_Block (C_Seq (C_For "I" (E_Value (V_Int 1
)) (E_Var "M") (C_Decl (D_Constant "Q" (T_Proc ( (M_In,T_Int) # [(M_Out,T_Int)])) (E_Var "P")
(D_Proc "Aux" (("S" ,M_In,T_Int) # [( "R" ,M_Out,T_Int)] ) (D_InitVar "X" T_Int (E_Value (V_Int
)) (D_Block (C_Seq (C_ProcCall (E_Var "Q") (((E_Value (V_Int 1 ))) # [((E_Var "X"))]))
(C_Seq (C_For "J" (E_Value (V_Int 1 )) (E_Var "S") (C_ProcCall (E_Var "Q") (((E_Var "X"))
# [((E_Var "X"))]))) (C_Assign "R" (E_Var "X")))))) (D_Block (C_Assign "P" (E_Var
"Aux"))))))) (C_ProcCall (E_Var "P") (((E_Var "N" ) ) # [((E_Var "R" ))])))) ) (D_Block
(C_ProcCall (E_Var "Ack") (((E_Value (V_Int 3 ))) # ((E_Value (V_Int 2 ))) # [((E_Var
"R"))]))))))) ( ([("R", (V_Int ))]) ) ( _ )"

ML {* print_depth 1000 *}

ML {* DSeq.hd Evaluation.test24 *}

ML {* DSeq.hd Evaluation.test25 *}

ML {* DSeq.hd Evaluation.test30 *}

ML {* val trace = DSeq.hd Evaluation.test24 *}

ML {* List.nth (trace, 0) *}

ML {* List.nth (trace, 1) *}

ML {* List.nth (trace, 2) *}

end